vndb/mithril-vndb
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #1425 from barneycarroll/contenteditable-childless-fix

Browse source 
Fix #1421
This commit is contained in:
Leo Horie 2016-11-24 08:18:44 -05:00 committed by GitHub
commit b4ada9284c
2 changed files with 58 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
render/render.js
View file

@ -135,7 +135,7 @@ module.exports = function($window) {
else { else {
var recycling = isRecyclable(old, vnodes) var recycling = isRecyclable(old, vnodes)
if (recycling) old = old.concat(old.pool) if (recycling) old = old.concat(old.pool)
var oldStart = 0, start = 0, oldEnd = old.length - 1, end = vnodes.length - 1, map var oldStart = 0, start = 0, oldEnd = old.length - 1, end = vnodes.length - 1, map
while (oldEnd >= oldStart && end >= start) { while (oldEnd >= oldStart && end >= start) {
var o = old[oldStart], v = vnodes[start] var o = old[oldStart], v = vnodes[start]
@ -347,7 +347,7 @@ module.exports = function($window) {
var content = children[0].children var content = children[0].children
if (vnode.dom.innerHTML !== content) vnode.dom.innerHTML = content if (vnode.dom.innerHTML !== content) vnode.dom.innerHTML = content
} }
else if (children != null || vnode.text != null) throw new Error("Child node of a contenteditable must be trusted") else if (vnode.text != null || children != null && children.length !== 0) throw new Error("Child node of a contenteditable must be trusted")
} }
//remove //remove

58
render/tests/test-attributes.js
View file

@ -79,9 +79,9 @@ o.spec("attributes", function() {
o.spec("canvas width and height", function() { o.spec("canvas width and height", function() {
o("uses attribute API", function() { o("uses attribute API", function() {
var canvas = {tag: "canvas", attrs: {width: "100%"}} var canvas = {tag: "canvas", attrs: {width: "100%"}}
render(root, canvas) render(root, canvas)
o(canvas.dom.attributes["width"].nodeValue).equals("100%") o(canvas.dom.attributes["width"].nodeValue).equals("100%")
o(canvas.dom.width).equals(100) o(canvas.dom.width).equals(100)
}) })
@ -95,4 +95,58 @@ o.spec("attributes", function() {
o(a.dom.attributes["class"].nodeValue).equals("test") o(a.dom.attributes["class"].nodeValue).equals("test")
}) })
}) })
o.spec("contenteditable throws on untrusted children", function() {
o("including text nodes", function() {
var div = {tag: "div", attrs: {contenteditable: true}, text: ''}
var succeeded = false
try {
render(root, div)
succeeded = true
}
catch(e){}
o(succeeded).equals(false)
})
o("including elements", function() {
var div = {tag: "div", attrs: {contenteditable: true}, children: [{tag: "script", attrs: {src: "http://evil.com"}}]}
var succeeded = false
try {
render(root, div)
succeeded = true
}
catch(e){}
o(succeeded).equals(false)
})
o("tolerating empty children", function() {
var div = {tag: "div", attrs: {contenteditable: true}, children: []}
var succeeded = false
try {
render(root, div)
succeeded = true
}
catch(e){}
o(succeeded).equals(true)
})
o("tolerating trusted content", function() {
var div = {tag: "div", attrs: {contenteditable: true}, children: [{tag: "<", children: "<a></a>"}]}
var succeeded = false
try {
render(root, div)
succeeded = true
}
catch(e){}
o(succeeded).equals(true)
})
})
}) })